path: root/kernel/include/uapi/linux/netfilter
Commit message (Collapse)AuthorAgeFilesLines
* Alignment problem between 64bit kernel 32bit userspaceJozsef Kadlecsik2014-11-032-3/+18
| | | | | | | | | | | | | | | | Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.
* netfilter: ipset: Add skbinfo extension support to SET target.Anton Danilov2014-09-141-0/+10
| | | | | Signed-off-by: Anton Danilov <> Signed-off-by: Jozsef Kadlecsik <>
* netfilter: ipset: Add skbinfo extension kernel support in the ipset core.Anton Danilov2014-09-081-0/+12
| | | | | | | | | | | Skbinfo extension provides mapping of metainformation with lookup in the ipset tables. This patch defines the flags, the constants, the functions and the structures for the data type independent support of the extension. Note the firewall mark stores in the kernel structures as two 32bit values, but transfered through netlink as one 64bit value. Signed-off-by: Anton Danilov <> Signed-off-by: Jozsef Kadlecsik <>
* ipset: add forceadd kernel support for hash set typesJosh Hunt2014-03-041-2/+5
| | | | | | | | | | | | | | | | | | Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by: Josh Hunt <> Signed-off-by: Jozsef Kadlecsik <>
* kernel: uapi: fix MARKMASK attr ABI breakageFlorian Westphal2014-02-141-2/+2
| | | | | | | | | | | | | | commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type) inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e. changing values of all further attributes. This causes 'ipset list' segfault on existing kernels since ipset no longer finds IPSET_ATTR_MEMSIZE (it has a different value on kernel side). Jozsef points out it should be moved below IPSET_ATTR_MARK which works since there is some extra reserved space after that value. Signed-off-by: Florian Westphal <> Signed-off-by: Jozsef Kadlecsik <>
* Prepare the kernel for create option flags when no extension is neededJozsef Kadlecsik2014-02-131-0/+6
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-231-0/+2
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-081-0/+1
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-231-0/+3
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <> Signed-off-by: Jozsef Kadlecsik <>
* netfilter: ipset: Support comments for ipset entries in the core.Oliver Smith2013-09-231-0/+4
| | | | | | | | | | | | | This adds the core support for having comments on ipset entries. The comments are stored as standard null-terminated strings in dynamically allocated memory after being passed to the kernel. As a result of this, code has been added to the generic destroy function to iterate all extensions and call that extension's destroy task if the set has that extension activated, and if such a task is defined. Signed-off-by: Oliver Smith <> Signed-off-by: Jozsef Kadlecsik <>
* Introduce new operation to get both setname and familyJozsef Kadlecsik2013-09-041-0/+8
| | | | | | | | ip[6]tables set match and SET target need to know the family of the set in order to reject adding rules which refer to a set with a non-mathcing family. Currently such rules are silently accepted and then ignored instead of generating a clear error message to the user, which is not helpful.
* set match: add support to match the countersJozsef Kadlecsik2013-04-092-4/+36
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <>
* Introduce the counter extension in the coreJozsef Kadlecsik2013-04-091-0/+5
| | | | Signed-off-by: Jozsef Kadlecsik <>
* The uapi include split in the package itselfJozsef Kadlecsik2013-04-095-0/+351
Signed-off-by: Jozsef Kadlecsik <>